Multiple Critical Vulnerabilities in NesterSoft WorkTime (on-prem/cloud)

Title

Multiple Critical Vulnerabilities

Product

NesterSoft WorkTime (on-prem/cloud)

Vulnerable Version

<= 11.8.8

Fixed Version

No patch available, vendor unresponsive.

CVE Number

CVE-2025-15563, CVE-2025-15562, CVE-2025-15561, CVE-2025-15560, CVE-2025-15559

Impact

critical

Found

22.05.2025

By

Tobias Niemann (Office Bochum), Daniel Hirschberger, Thorger Jansen (Office Bochum), Marius Renner (Office Berlin) | SEC Consult Vulnerability Lab

Management summary

Multiple vulnerabilities have been identified in the NesterSoft WorkTime employee monitoring software. An unauthenticated attacker is able to exploit an OS command injection vulnerability to completely take over the WorkTime server. A missing authorization check allows an attacker to reset the database configuration. Furthermore, an SQL injection vulnerability can be exploited in the admin interface with minimal permissions in order to read data from the database. In addition, a reflected cross-site scripting (XSS) vulnerability was identified.

A local attacker can exploit the update behavior of the WorkTime monitoring daemon to escalate privileges on the system to NT Authority\SYSTEM.

Vendor description

"WorkTime is a green employee monitoring software with a primary focus on monitoring employees' productivity. It is a non-invasive, transparent, safe, and socially responsible technology. WorkTime offers a safe replacement for every invasive function."

Source: https://www.worktime.com/employee-monitoring 

Business recommendation

The vendor did not respond to our communication attempts anymore. It is currently unclear whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Unauthenticated OS Command Injection (CVE-2025-15559)

An unauthenticated attacker can inject OS commands when calling a server API endpoint. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

2) SQL Injection (MSSQL/Firebird Backend) (CVE-2025-15560)

An authenticated attacker with minimal permissions can exploit a SQL injection in a WorkTime server API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used, the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.

3) Local Privilege Escalation (CVE-2025-15561)

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM.

4) Reflected Cross-Site Scripting (XSS) (CVE-2025-15562)

A server API endpoint reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.

5) Broken Access Control results in Denial of Service (CVE-2025-15563)

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.

Proof of concept

1) Unauthenticated OS Command Injection (CVE-2025-15559)

The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable to OS command injection via the "guid" parameter. For this proof of concept the following OS command is injected:

whoami > C:\secwashere

The HTTP request is shown below:

< PoC removed >

The injected command is executed on the server as NT Authority\SYSTEM:

[Screenshot: Command injection output]
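The injected value reaches a shell because the "guid" parameter is used without any validation. The following Python script is an added example and is not code from the advisory or from the vendor: it shows the allow-list check a server should apply to such a parameter (a canonical GUID and nothing else), an argv-style invocation that does not go through a shell, and a triage helper that flags requests carrying a non-GUID "guid" value in an access log. The endpoint path "/download", the generator command "wtclientgen.exe" and the log lines are constructed placeholders; the advisory does not publish the real endpoint or command.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Canonical GUID: 8-4-4-4-12 hex digits. Everything else is refused (allow-list);
# no attempt is made to "clean" shell metacharacters out of a bad value.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def is_strict_guid(value: str) -> bool:
    if value.startswith("{") and value.endswith("}"):   # {GUID} form is also canonical
        value = value[1:-1]
    return GUID_RE.fullmatch(value) is not None

# Characters that mark a rejected value as an injection attempt rather than a typo.
# Used only for labelling; is_strict_guid() alone decides acceptance.
SHELL_META = set(";&|`$<>()\n\r ")

def classify_guid(value: str) -> str:
    if is_strict_guid(value):
        return "ok"
    if any(c in SHELL_META for c in value):
        return "injection-attempt"
    return "malformed"

def build_generator_argv(guid: str) -> list:
    """Hypothetical server-side call: 'wtclientgen.exe' is a placeholder, the advisory
    does not name the command behind the endpoint. The two points that matter are the
    allow-list check before use and handing an argv list to CreateProcess/subprocess
    (no shell), so even a bad value could never be parsed as a command line."""
    if not is_strict_guid(guid):
        raise ValueError("guid rejected: %r" % guid)
    return ["wtclientgen.exe", "--guid", guid]

def scan_access_log(lines):
    """Triage a Common-Log-Format access log: one (guid, verdict, client_ip) tuple per
    request that carried a guid parameter, so injection attempts stand out."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client_ip, target = parts[0], parts[6]          # parts[5] is the quoted method
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get("guid", []):
            hits.append((raw, classify_guid(raw), client_ip))
    return hits

# Constructed sample log. The second line carries the advisory's PoC command
# (whoami > C:\secwashere), URL-encoded as a browser or curl would send it.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2025:10:00:00 +0200] "GET /download?guid=3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 5120
198.51.100.7 - - [22/May/2025:10:00:04 +0200] "GET /download?guid=3f2504e0-4f89-11d3-9a0c-0305e82c3301%26%20whoami%20%3e%20C%3a%5csecwashere HTTP/1.1" 200 12
203.0.113.9 - - [22/May/2025:10:00:09 +0200] "GET /download?guid=not-a-guid HTTP/1.1" 400 0
"""

if __name__ == "__main__":
    for guid, verdict, ip in scan_access_log(SAMPLE_LOG.splitlines()):
        print("%-18s %-15s %s" % (verdict, ip, guid))
```

The allow-list is the actual fix; the metacharacter set only labels what was rejected and must not be used the other way round (as a deny-list), since encodings and quoting tricks would get past it.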

2) SQL Injection (MSSQL/Firebird Backend) (CVE-2025-15560)

The following authenticated "widget" API endpoint is vulnerable. Minimal permissions are required to access the server endpoint.

POST /api/widget HTTP/1.1
Host: <server_hostname>:8080
Content-Type: multipart/form-data; boundary=---------------------------295635091325610060643320064167
Content-Length: [...]

-----------------------------295635091325610060643320064167
< removed >
-----------------------------295635091325610060643320064167--

Note that the request requires a token value in the request body. Any user that has access to the WorkTime server in any role has access to a valid token. The three parameters employee, computer and department are injectable. If the Firebird database backend is configured, the injection can be exploited using the following sqlmap command:

< PoC removed >

If the MSSQL backend is used the following sqlmap command can be used with the request from above:

< PoC removed >

Depending on the used MSSQL database user and the database configuration the injection can also be exploited to execute OS commands on the server.

3) Local Privilege Escalation (CVE-2025-15561)

To exploit the vulnerability, the attacker must first create the executable that is to run with elevated privileges. For this proof of concept the following C code was used.

< PoC removed >

Version information must be embedded in the binary when linking; otherwise WorkTime will not execute it. Any resource file with a VERSIONINFO block can be used:

1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEFLAGSMASK 0x3f
FILEFLAGS 0x0
FILEOS 0x40004
FILETYPE 0x1
FILESUBTYPE 0x0
BEGIN
   BLOCK "StringFileInfo"
   BEGIN
       BLOCK "040904b0"  // Language and code page
       BEGIN
           VALUE "CompanyName", "Your Company"
           VALUE "FileDescription", "Your Application Description"
           VALUE "FileVersion", "1.0.0.0"
           VALUE "InternalName", "YourApp"
           VALUE "OriginalFilename", "YourApp.exe"
           VALUE "ProductName", "Your Product"
           VALUE "ProductVersion", "1.0.0.0"
       END
   END
   BLOCK "VarFileInfo"
   BEGIN
       VALUE "Translation", 0x409, 1200
   END
END

Compile the PoC code:

$ x86_64-w64-mingw32-windres resource.rc -o resource.o
$ x86_64-w64-mingw32-gcc exec.c resource.o

The resulting executable must now be renamed to WTWatch.exe and dropped into C:\ProgramData\wta\ClientExe.

The folder is writable by Everyone:

[Screenshot: Folder permissions]

After dropping the executable, it is executed by the WorkTime monitoring daemon as NT Authority\SYSTEM:

[Screenshot: Privilege escalation]
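The precondition for this escalation is a directory that a SYSTEM service loads executables from while low-privileged principals can write to it. The following Python script is an added example and is not part of the advisory: it parses the output of "icacls" for C:\ProgramData\wta\ClientExe and reports every ACE that gives Everyone, Users, Authenticated Users or INTERACTIVE a right sufficient to create or replace a file there. The icacls outputs embedded below are constructed samples; the first one reflects what the advisory states (folder writable by Everyone), the second is a counter-example without such an ACE. Changing the ACL is not a workaround documented by the advisory, which lists none; the script only tells you whether the condition is present.

```python
import re
import subprocess

CLIENT_EXE_DIR = r"C:\ProgramData\wta\ClientExe"

# Principals that any local or domain user holds. A write-capable ACE for one of them on a
# directory from which a SYSTEM service loads executables is the condition exploited above.
LOW_PRIV = {"everyone", "users", "authenticated users", "interactive",
            "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow creating or replacing a file in the directory: the simple
# rights F/M/W, the specific rights WD (write data / add file), AD (append data /
# add subdirectory), DC (delete child) and the generic rights GA/GW.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GA", "GW"}

def parse_icacls(path, output):
    """Return [(identity, set_of_right_tokens)] from `icacls <path>` output.
    The first ACE shares a line with the path; the remaining ACEs are indented."""
    aces = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        entry = line[len(path):] if line.startswith(path) else line
        identity, sep, rights = entry.strip().partition(":")
        if not sep:
            continue
        # "(I)(OI)(CI)(F)" or "(OI)(CI)(WD,AD,WEA,WA)": collect every token in parentheses.
        tokens = {t for group in re.findall(r"\(([^)]*)\)", rights)
                  for t in group.split(",") if t}
        aces.append((identity, tokens))
    return aces

def weak_aces(path, output):
    """ACEs that let a low-privileged principal write into `path`."""
    return [(identity, sorted(tokens & WRITE_RIGHTS))
            for identity, tokens in parse_icacls(path, output)
            if identity.lower() in LOW_PRIV and tokens & WRITE_RIGHTS]

def check_live(path=CLIENT_EXE_DIR):
    """Run icacls on a real host (Windows only) and evaluate its output."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True,
                         check=True).stdout
    return weak_aces(path, out)

# Constructed sample: the state the advisory describes (Everyone has full control).
SAMPLE_ICACLS = r"""C:\ProgramData\wta\ClientExe Everyone:(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed counter-example: same directory without a low-privilege write ACE.
SAMPLE_ICACLS_TIGHT = r"""C:\ProgramData\wta\ClientExe NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)
                             BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(weak_aces(CLIENT_EXE_DIR, SAMPLE_ICACLS))        # [('Everyone', ['F'])]
    print(weak_aces(CLIENT_EXE_DIR, SAMPLE_ICACLS_TIGHT))  # []
```

Run check_live() on a WorkTime host to evaluate the real ACL; the same function works for any other directory a privileged service executes files from, which is worth checking on the agent side as well as on the server.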

4) Reflected Cross-Site Scripting (XSS) (CVE-2025-15562)

As a proof of concept the following JavaScript payload was used:

alert(document.cookie)

The "type" parameter in the POST body is reflected back into the HTML response:

POST /report/internet/urls HTTP/1.1
Host: <server_hostname>:8079
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=[...]; aup_accept=accept

type="><script>alert(document.cookie)</script>

The injected payload is reflected back into the HTTP response without proper encoding or filtering and the payload is executed:

[Screenshot: Cross-site scripting]

5) Broken Access Control results in Denial of Service (CVE-2025-15563)

An unauthenticated attacker can access the following URL to reset the server's configured database.

< PoC URL removed >

If the attacker presses the displayed button, the browser sends the following unauthenticated HTTP request, which resets the database configuration:

< PoC removed >

Vulnerable / tested versions

The following version has been tested, which was the latest version available at the time of the test:

  • WorkTime v11.8.8

Vendor contact timeline

2025-07-09 Initial mail to the vendor (info@worktime.com)
2025-07-23 First vendor response, requesting unencrypted advisory.
2025-07-29 Sending the advisory via email.
2025-09-29 Asking for a status update regarding any fixes or roadmap, and whether we or the vendor should reserve CVE numbers.
2025-09-30 Customer support answers that "Firebird for On-Premises" (CVE-2025-24975) is fixed. They ask us which other CVEs we have identified.
2025-10-02 Replying to vendor that we submitted the advisory including all details on 29th July and that CVE-2025-24975 has nothing to do with our advisory. No response.
2025-11-03 Asking the vendor for a status update, informing them about our disclosure deadline again and setting preliminary release date to 19th November.
2025-11-03 Vendor support responds to check with the technical team.
2025-11-17 Vendor responds they are actively working on it this week to analyze the issues and report back to us within a week.
2026-02-04 No response from the vendor so far. Reserved CVE numbers, asking for status update / fixed version numbers, informing vendor about planned public release on 18th February.
2026-02-18 Still no response, public release of advisory.

Solution

The vendor did not respond to our communication attempts anymore. It is currently unclear whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/ 

EOF Tobias Niemann, Daniel Hirschberger, Thorger Jansen (Office Bochum), Marius Renner (Office Berlin) / @2026
